To Reset a Password With the Password Modify Extended Operation

User accounts are locked when passwords expire. Resetting the password
unlocks the account. The password can be reset by another user, such as
an administrator. Directory Server supports RFC 3062, LDAP Password Modify
Extended Operation. The extended operation enables you to allow a directory
administrator or a directory application to unlock accounts through
password reset.

Be cautious when allowing use of the password modify extended operation,
as shown in this procedure. Limit access to administrators and applications
that you trust. Do not allow passwords to travel over the network in clear
text.
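
The reason for this caution is visible in the wire format: RFC 3062 carries the new password as a plain OCTET STRING inside the extended request value, so only the transport protects it. The following Python code is an added example, not part of the original documentation or of Directory Server; the sample DN and password are constructed.

```python
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # request OID from RFC 3062
# Context-specific tags [0], [1], [2]; all three fields are OPTIONAL.
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def tlv(tag, value):
    """One BER element: short-form length below 128, long form otherwise."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    size = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + size + value

def encode_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the extended request value from the fields that are supplied."""
    body = b""
    for tag, val in zip(FIELDS, (user_identity, old_passwd, new_passwd)):
        if val is not None:
            body += tlv(tag, val.encode("utf-8"))
    return tlv(0x30, body)  # 0x30 = SEQUENCE

def read_tlv(buf, pos):
    """Return (tag, value, next offset) for the element at pos, or raise."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:  # long form: low 7 bits give the count of length octets
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("indefinite or truncated length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def decode_request(buf):
    """Parse a request value into {field: bytes}, rejecting malformed input."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in FIELDS:
            raise ValueError("unexpected tag 0x%02x" % tag)
        fields[FIELDS[tag]] = value
    return fields

# Constructed sample: an administrator resetting a user's password.
SAMPLE = encode_request("uid=bjensen,ou=People,dc=example,dc=com", None, "N3w-Secret")
```

The encoded sample contains the bytes of the new password unchanged, which is what an observer on an unencrypted connection would see.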

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

Give users access to a password administrator or to a password
administration application.

Allow the password administrator access to use the password modify
extended operation.

The following commands set an ACI to allow
members of a Password Managers role to use the password
modify extended operation when connected over SSL: